Reversing MFC Applications 


— Externalist 


Introduction 


MFC Programs seems to be the mainstream of Win32 GUI programming these days, 
other than QT applications that are rapidly gaining popularity recently. A few days ago, 
I suddenly got interested in embedded system reversing but was confronted by the task 
to reverse an application that uploads the firmware image to the embedded system. As 
expected, the application was MFC, and I was a bit taken back. I wasn’t that confident in 
MFC reversing. 

I’ve seen many people reverse MFC applications in the same way as 


reversing pure Win32 API applications. Put breakpoints on certain APIs, search for a 


+ 


arget string, search for a certain constant, etc etc... There is no problem with that. The 
same principles used in non-MFC app reversing can also be applied to MFC apps 
except... 

Except you can’t find the Window Procedure within the application. Window Procedures 
are like the root function of where all the messages are processed, and when you know 
where it’s located, you can always track down your target in a root to descendant kind 
of approach. It may take more time than the ‘start from a certain function, string etc’ 
approach, but when the later approach may sometimes make you get lost in a labyrinth 
of code and functions, the former usually never goes wrong. 

The problem is, all the WndProc code is managed by the MFC framework, and the 
framework gives a slight twist to it to make it work in a different process than what we 
already know about Window Procedures. The principles are the same, but the structure 
is a little bit different, and the Message dispatcher code is no longer handled by the 
programmer. The question is, where is that code and what does it look like? And how 
could we use it to our advantage? 

That will be the main focus of this tutorial, and I will start by showing the usual 


approach, and point out the problems that may occur in certain situations. 


Reversing an MFC app using the conventional method 


‘4 REVERSOR KeygenMe #3 [| 


Name | Externalist 


Serial | 1234 


This is a simple KeygenMe written in MFC. The usual approach most people would take 
is to set a breakpoint on GetWindowTextA or MessageBoxA and backtrace from there. 
Breaking on GetWindowTextA and pressing Alt+ F9(return to user code) brings us right 
in the middle of the key generating algorithm. 


( CPU - main thread, module Keygenme 
004012CB C645 FC 73 Moy 


OO4012CF |]. C645 FD 6A |MOV 6A 
O04012D3 |}. Cr45 FO FFOOdMOY [LOC 
OO4012DA)]. FFI5 64204009 CALL DWORD PTR DS: [<@USER32.GetD1 gItemT¢lLGetD1 gItemTexta 


OO4012E0 | ES eek 
OO4012E3 |]... 7D OC 
OO4012E5|}> 6A 00 
OO4012E7 |]. 68 E9030000 
OO4012EC|]., E9 F4000000 


CMP EAX,3 

JGE SHORT Keygenme.004012F1 
PUSH 0 

PUSH 3E9 

IMP Keygenme.004013E5 


O04012F1|[ > 33c9 XOR ECX, ECX USER32.77D1218C 
OO4012F3|]. 85co TEST EAX, EAX 

O004012F5]]}., 7E 14 JLE SHORT Keygenme. 00401308 
OO4012F7|}> OFBES4O0D C8 |P-MOVSX EDX,BYTE PTR 
OO4012FC|]. 83FA 20 CMP EDX, 20 

OO4012FF |] .* 72 E4 IB SHORT Keygenme.004012E5 
OO401301|]. 83FA 7E CMP EDX, 7E 

00401304 || .* 77 DF JA SHORT Keygenme.004012E5 
OO401306|]. 41 INC ECX USER32.77D1218C 
00401307 |]. 3Bc8 CMP ECX, EAX 

00401309}, .* 7C EC JL SHORT na ad 004012F7 
OO40130B]|> 8D45 c8 LEA EAX, [LOCAL. 1¢ 
OO40130E|}. 50 PUSH EAX 

OO40130F |}. E8 23010000 [CALL Keygenme.00401437 
O0401314|]. sBbdés Mov EBX, EAX 

00401316|]. 8Db45 cc LEA EAX, 

00401319]}. 50 PUSH EAX 

OO40131A}}. E8 18010000 [CALL Keygenme.00401437 
OO40131F |}. 8945 EC Mov [Ll s EAX 
00401322|]. 8D45 DO LEA EAX, alr 
00401325|]. 50 PUSH EAX 

00401326|]}. E8 0CO10000 |CALL Keygenme. OO401437 
OO40132B|}. 8b45 D4 LEA EAX, (L ee 
OO40132E]}. SO PUSH EAX 

OO40132F|[—. E8 03010000 {CALL Keygenme. sical 
00401334|]. 8D45 Dé LEA EAX, [L 

00401337|]. 50 PUSH EAX 

OO401338]}. E8 FAOOOOOO |CALL Keygenme.00401437 
0040133D|[. 8BFO Moy ESI,EAX 

OO40133F\]. 8Db45 DC LEA EAX, [L 

on401347ll. 450 PIISH FAX 


Pretty fast, no need to worry about how the Window messages are processed. It’s just 
simple as that. 


Here’s another example. 


BAH BAdols.., 


CAS ASH... 


cH? SU 8s... 


Clicking on the menu brings up a Messagebox. 


Okay, now I want to see what function is responsible for bringing up that MessageBox. 
Set a breakpoint on CreateWindowEx, DialogBoxParamA etc... and run. 

Good, it breaks on DialogBoxIndirectParamW. Okay Ctrl+F9 from here to find where 
it’s called... what? MFC code? Alt+F9. F7. This is the code in a custom dll. I want to 
find the code in the application, not the dll!! Ctrl+F9. F7. Ctrl+F9. This is getting 
boring... Setting a break on execute on the code section. Break. But this is not it!!! It’s 
just a small stub that eventually jumps back to MFC code... Alt+F9, F7, Ctrl+ F9, When 
is this going to end... That’s enough. I’m going to search for the string and find 
references to it. Search. It’s a resource. I’m going to find references to the the resource 
ID and so on and so on... 

Eventually I find out that it’s faster to set a breakpoint on DestroyWindow and Ctrl+ F9, 
Alt+F9 etc from there, but that’s just one too many guesses and involves a lot of luck. 
Could there be a more faster and elegant way to find the exact function that handles a 
certain messageli.e. the fu it gets ed af ‘lickin: ¢ entry)? 

The answer is yes. But first, you must get familiar with the Message Map concept in 
MFC. 

What is a MessageMap? A Message Map is basically an array of structures where each 
structure represents the characteristics of a certain Window Message. This structure is 


called AFX_MSGMAP_ENTRY and looks lke this. 


struct AFX_MSGMAP_ENTRY { 


UINT nMessage; // Window Message 

UINT nCode; // Control Code or WM_NOTIFY code 
UINT nD; // control ID 

UINT nLastID; // last control ID 

UINT nSig; // Function Prototype 


AFX_PMSG pfn; // Message Handler function 


The last one is the most important one, pfn, the Message Handler function. Wait, 
Message Handler Function? Does this ring a bell? As you might have guessed, every 
time nMessage Window Message is sent, the function stored in pfn will be called to 
dispatch the Window Message. No. Actually, The resource ID of the button, menu, 
listview or whatever generated the message must be between nID ~ nLastID. nCode 
and nSig are not that important here so I’ll omit the details. 

So once we found the MessageMap, then we have a complete layout of what functions 
are going to be called on what kind of Window Messages and resource IDs. Now let’s 
dig a little bit deeper and see how these MessageMaps are created in the first place. 
When you first create an MFC project, you start by opening the MFC Class Wizard({for 


C++ 6.0) and define functions for certain Window Messages. 


MFC ClassWizard (? {x} 
Message Maps | Member Variables | Automation | ActiveX Events | Class Info | 
Project: Class name: Add Classes. | 
MFC_test3 Y CMFC_test3Dlg o 
Add Functio 
D:##...4MFC_test3Dlg.h, D:##...4MFC_test3DIg.cpp _ Aid Function | 
Object IDs: Messages: Delete Function | 
CMFC test3Dlg BN_CLICKED Edit Cod 
BN_DOUBLECLICKED eo ee | 


IDC BUTTONI 
IDCANCEL 
IDOK 


Member functions: 


¥ DoDataExchange 


W OnButton1 ON_IDC_BUTTON1:BN_CLICKED 

W OnDoubleclickedBuON_IDC_BUTTON1:BN_DOUBLECLICKED 

W OnlnitDialog ON_WWH_INITDIALOG ] 
W OnPaint ON_WM_PAINT v 
Description: 


As you can see, I’ve added 2 functions for the event BN_CLICKED(message occur 
vhen the button is clicked once) and BN_DOUBLECLICKED(message 
for IDC_BUTTONI1. The two entries get added in the Message 


BEGIN MESSAGE_MAP(CMFC_test3D1g, CDialog) 
//4{4AFX_MSG_MAP(CMFC_test3D1g) 
ON WH SYSCOMMANDC) 
ON WH PAINT() 


ON_BN CLICKED(IDC_BUTTON1, OnButton1) 
ON BN _DOUBLECLICKED(IDC BUTTON1, OnDoubleclickedButton1) 


END_MESSAGE_MAP() 


Remember the AFX_MSGMAP_ENTRY structure? The first entry ON_BN_CLICKED will 


be mapped into the structure like this. 


struct AFX_MSGMAP_ENTRY 

INT Oxi i // WM_COMMAND 

INT 0} // usually 0 

NT IDC_BUTTON1; 

INT IDC_BUTTON1; 

INT some_kind_of_value; // depends on the function prototype 
AFX_PMSG CMFC_test3Dlg::OnButton1; 


Ge ce ie & 


This is also the exact layout of how this entry of the MessageMap will be written to the 
file. Likewise, the order of the structures will be preserved. To be more specific, the 
AFX_MSGMAP_ENTRY structure corresponding to ON_.BN_DOUBLECLICKED will be 
written to the file right after ON_BN_CLICKED, and ON_WM_QUERYDRAGICON right 
before ON_BN_CLICKED, and so on. Hence, the 5 structure entries will be written to 
the file in the exact same order as they were declared in the source file. Those 5 
structure entries constructs one section of the Entire Message Map. By one section, I 
mean just for the CMFC_test3Dlg class. Each class has its own Message Map containing 
several AFX_MSGMAP_ENTRY entries, and the one I just showed you is attached to the 
CMFC_test3Dlg class. Thus, the OnButtonl function is called ONLY in the event of the 
WM_COMMAND sent by the window associated to the CFMC_test3Dlg class. The MFC 
framework guarantees it to work that way. 

If it’s hard to get a picture of how the Message Map looks, here’s a preview of how it 


will look in IDA after a little bit of refining. 


For example, sub_401500 will be called when WM_COMMAND is sent by the 


window(class) the MessageMap belongs to, and the resource ID that triggered 
WM_COMMAND equals Ox3E9. 

Okay, now that we know how the MessageMaps are created, how are they used by the 
MFC framework and what does the code actually look like? 

First we look at the MFC Class hierarchy chart to get a better understanding of the 
MFC framework. 


fj! Microsoft Foundation Class Library Version 7.0 


File Ser 


Application Architecture 
CCmdTarget eee 


user objects 


CDocument Exceptions Mem! 
CException Shi 
leSt 
user application COleLinkingDoc | Mo) 
CDocTemplate _ A 
“user documents 
-CSocks 
COleClientitem Stdio 
‘OleDocObjectitem CSimpleException — Int 
¢ 
user client items F 
COleServeritem 
UserException 
user Server items 
Window Support 


Frame Windows Dialog Boxes Controls 
Button 
user MDI windows 
‘ComboBox 
user MDI workspaces ‘ComboBoxEx 
CDateTimeCtrl _ 
user SDI windows CEdit 
CFormView Ss ._ (CH miEditCtriBase 
Control Bars puser form views 
CDaoRecordview 
OleResizeBar 
Property Sheets user record views 
ChonthGaieT 
‘OlePropertyPage 


user dialog boxes 
ScroliBar 


MultiPageDHtmIDialoc 


SpinButtonCtrl 


ye rr | 


The picture shows that the CWnd class is 
derived from CCmdTarget, and a bit of googling reveals that CCmdTarget::OnCmdMsg(Q) 
function deals with dispatching all the Window Messages coming from every CWnd 
Object, or every Window. Any ideas now? 

How about hooking the Message Dispatching function in CCmdTarget::OnCmdMsg(Q) and 
filtering only the messages of our interest? Sounds like a good idea but first we need to 
know how the CCmdTarget::OnCmdMsg() function looks like. Take a look at the code 


below. 


for (pMessageMap = GetMessageMapQ:; pMessageMap != NULL; 
pMessageMap = pMessageMap->pBaseMap) 


ASSERT(pMessageMap != pMessageMap->pBaseMap); 
IlpEntry = AfxFindMessageEntry(pMessageMap->lpEntries, nMsg, nCode, nID); 
if dpEntry != NULL) 
{ 
// found it 
return _AfxDispatchCmdMsg(this, nID, nCode,W 
lpEntry->pfn, pExtra, lpEntry->nSig, pHandlerInfo); 


This code was taken from MFCWSRCWCMDTARG.CPP. This is only the last part of 
code that deals with the Message Handling, the part we’re interested in. 
GetMessageMap() retrieves the current class’s MessageMap. nMsg, nCode, nID 
correspond to the Window Message, Notification Code, and Identifier 

. They are all passed along with the Message Map to 
AfxFindMessageEntry which searches if there is an AFX_MSGMAP_ENTRY that 
matches the conditions. If found, then it calls the Dispatcher AfxDispatchCmdMsg, 
which merely calls AFX_MSGMAP_ENTRY.pfn with the appropriate arguments. If not 
found in the current MessageMap, then it goes to the next MessageMap pMessageMap- 
>pBaseMap. This is the Base class’s MessageMap. This means that if the 
AFX_MSGMAP_ENTRY matching the condition can’t be found in the current 
MessageMap, then it keeps going down the base classes until it meets the root class. If 
it is not found in any of the MessageMaps, then the Message is simply not handled. 


Let’s take a look at the disassembly of this code. 


DWORD PTR SS: [EBP+C] 


DWORD PTR SS: [EBP+8] 
DWORD PTR SS: [EBP+C] 


DWORD PTR SS: [EBP+14] 
DWORD PTR SS: [EBP+10] 


DWORD PTR SS: [EBP+C] 
DWORD PTR SS: [EBP+8] 


The loop starts from 5F80249F and the call right before it (CALL [EAX+ 30]) is the call 
to GetMessageMapQ). The obtained pointer to the AFX_MSGMAP structure looks like 
this. 


AFX_COMDAT AFX_DATADEF const AFX_MSGMAP CTestView::messageMap = 
{ 

&CTestView::_GetBaseMessageMap, 

&CTestView::_messageEntries [0 ] 


And the second member messageEntries points to the actual MessageMap. The next 
call AfxFindMessageEntry deals with finding the correct AFX_MSGMAP_ENTRY and 


returning a pointer to the - structure. This function is defined in 


MFCWSRCW WinCore.cpp and looks like this. 


const AFX_MSGMAP_ENTRY* AFXAPI 


AfxFindMessageEntry(const AFX_MSGMAP_ENTRY* lpEntry, 


UINT nMsg, UINT nCode, UINT nID) 
{ 


#if defined(_M_IX86) && !defined(_AFX_PORTABLE) 


// 32-bit Intel 386/486 version. 


ASSERT (offsetof(AFX_MSGMAP_ENTRY, 
ASSERT (offsetof(AFX_MSGMAP_ENTRY, 
ASSERT (offsetof(AFX_MSGMAP_ENTRY, 
ASSERT(offsetof(AFX_MSGMAP_ENTRY, 
ASSERT (offsetof(AFX_MSGMAP_ENTRY, 


nMessage) == 0); 
nCode) == 4); 
nID) == 8); 
nLastID) == 12); 
nSig) == 16); 


_asm 
{ 
MOV EBX,lpEntry 
MOV EAX,nMsg 
MOV EDX,nCode 
MOV ECX,nID 
__loop: 
CMP DWORD PTR [EBX+ 16],0 ; nSig (O => end) 
JZ __failed 
CMP EAX,DWORD PTR [EBX] ; nMessage 
JE __found_message 
__next: 
ADD EBX,SIZE AFX_MSGMAP_ENTRY 
JMP short __loop 
__found_message: 
CMP EDX,DWORD PTR [EBX+ 4] ; nCode 
JNE __next 
// message and code good so far 
// check the ID 
CMP ECX,DWORD PTR [EBX+ 8] ; nID 


JB __next 


CMP ECX,DWORD PTR [EBX+ 12] ; nLastID 
JA __next 

// found a match 
MOV IpEntry, EBX ; return EBX 
JMP short __end 

__failed: 
XOR EAX,EAX ; return NULL 
MOV IpEntry, EAX 


return lpEntry; 
#else // AFX PORTABLE 
// C version of search routine 


while (lpEntry—>nSig != AfxSig_end) 


{ 
if dpEntry->nMessage == nMsg && IpEntry->nCode == nCode && 
nID >= |pEntry->nID && nID <= lpEntry->nLastID) 
{ 
return IpEntry; 
} 
IpEntry+ + ; 
} 


return NULL; // not found 
#endif // AFX_PORTABLE 
} 


You could see that it’s implemented in inline assembly to increase performance in speed 
because it 1s a very frequently called function. Reading the code tells you that 
AfxFindMessageEntry finds the MessageMap Entry that matches the currently 
processed nID, nCode, and nMessage. If it finds the Message, it goes to the 
AfxDispatchCmdMsg call, and if not, it gets the Base class’s MessageMap and etc etc... 
as explained earlier. AfxDispatchCmdMsg does nothing more than call the function 
stored in the AFX_MSGMAP_ENTRY.pfn member passing the arguments in a correct 


form depending on the nSig member 


So what if we hook the part where it calls AfxFindMessageEntry and filter only the 


messages of our interest? It’s easy to find resource ID of a certain resource, we know 
what Window Message we’re targeting, and it’s easy enough to find a certain window’s 
handle with any kind of spy tool. 

Now let’s go back to the Disassembly. 


DWORD PTR SS: [EBP+C] 


DWORD PTR SS: [EBP+C] 


DWORD PTR SS: [EBP+8] 
DWORD PTR SS: [EBP+C] 


I’ve set a conditional bp right on the AfxFindMessageEntry call. Setting a conditional 
breakpoint is sufficient to set up a filter for certain messages. The expression looks like 


this. 


Modify conditional log breakpoint at MFC42u. 5F8024A9 [x] 


Condition: 
([edi+20]==200564) && (ebx==111) && ([ebp+3]==4E2E) 


Explanation: Expression: 


Decode value of expression as: [Assumed by expression x! 


Never Oncondition Always Pass count (dec.} 


Pause program: c s oe 0. 


Log value of expression: oe s s 


Log function arguments: co ts “iy 


If program pauses, pass following commands to plugins: 


edi is the this pointer, and ebx is the Window Message. The disassembly of the 
CCmdTarget::OnCmdMsg tells you that. Now some of you might be wondering. How did 
I find the location of CCmdTarget::OnCmdMsg in the first place? 

For those of you who don’t know Import symbols from library files, ’ll give you a brief 


explanation of how it’s done. If you already know this stuff, then you can skip this part. 


First open the Executable Modules window and find a name that starts with MFC. 


Executable modules 


[size [entry [Name [File version | 


OOSCDOO0 |4310777C|ieframe |7.00.6000.16757/C:\WINDOWS\system32\1 eframe.d1 1 
00374000 | 43876959 |mshtml 7.00.6000.16735 |C:\WINDOWS\system3 2\mshtml .d11 
OO1A6000 |4B24F66D | gdiplus |5.1.3102.3352 OC: \WINDOWS\\WinSxS\x86_Mi crosoft.wWindows.GdiPlu 
00038000 |5A481626|uxtheme |6.00.2900.2180 (C:\WINDOWS\system3 2\uxtheme. d11 
00017000 | SE7OEE78 |OLEPRO32/5.1. 2600. 2180 C:\WINDOWS\system3 2\0LEPRO32.DLL 
OOOF 2000 |SF8O06A61 MFC42u | 6.02.8071.0 FESAWTROOWS Nester WacezuLDUL 
00054000 | 605F8898 | NETAPI32|5.1.2600.3462 (1C:\WINDOWS\system3 2\NETAPI32. d11 
OOOODC00 MFC42L0C | 6.00.8665.0 C:\WINDOWS\\system3 2\MFC42L0C.DLL 
00009000 | 62342EAD|LPK 5.1.2600.2180 ()C:\WINDOWS\system3 2\LPK.DLL 
00078000 |6339FESA|jscript |5.7.0.5730 C:\WINDOWS\\system3 2\jscript.d11 
00056000 |65CE7A51/hnetcfg |5.1.2600.2180 ()C:\WINDOWS\system3 2\hnetcfg.d11 
OOO3FOOO|719814CD |mswsock [5.1.2600.3394 (1C:\WINDOWS\system3 2\mswsock.d11 
OOO0O8000 | 719C142E |wshtcpip|5.1.2600.2180 ()C:\WINDOWS\System3 2\wshtcpip.d11 
719D0000 | 00008000 | 719D1642|WS2HELP |5.1.2600.2180 (4 C:\WINDOWS\system3 2\WS2HELP.d11 
nan 7 | 779F1 273 WS? 22 15 4 BAN At1aAN MC WINNS cvetem? a\Wws? 32 d71 


719ENnNN 
$3 |i) 


There are many versions of the MFC module, each starting with “mfc”(mic42u, mfc7 1d, 


mfc90 etc). 

Next you should have Visual Studio installed, and look for the file mfc42u.lib in the 
VC9O8WMFCWLIB folder. Copy that file into a new folder in the ollydbg folder(! named 
mine lib) and go back to Olly. Debug -> Select Import Libraries -> Add -> Select 
mfc42.lib -> Process -> Restart the program. Then double click the MFC42u entry in 
Executable Modules, and Ctrl+N. The Ordinals are all correctly resolved to names. No 


more MFC ordinal nightmares! © 


Names in iPlus3 


Address Type 


OO6DAZSC | .1 MFC42u.#1008_CProperty Sheet: :AddPage 
OOSBDA7BB | .7 MPC42u.#1083_CPtrList: :AddTail 
OO6DAGOS | .7 MPC42u.#1089_CWinApp: :AddToRecentFi lel 
OO6DA340 | .14 MPC42u.#1105_AfxBeginThread 

OO6DA128 | .1 MPC42u.#1130_AfxDynami cDownCast 
OOS6DASAC| .7 MPC42u.#1131_AfxEnabl] eControlContainer 
OO6DALES | .1 MPC42u.#1137_AfxExtractSubString 
OO6DAS BB) .7 MPC42u.#1143_AfxFindResourceHandle 
OO6DA3 84 | .7 MPC42u.#1150_AfxGetaAfxwndProc 
OO6DAS?C}.1 MPC42u.#1155_AfxGetEmpty String 
OO6DA72C | .1 MPC42u.#1165_AfxGetModul eState 
OO6DASBS | .14 MPC42u.#1172_AfxGetThread 

OO6DA084 | 14 MPC42u.#1173_AfxGetThreadState 
OO6DA048 | .1 MFC .#1184_AfxIsValidAddress 
OO6DA5CO).1 MPC42u.#1196_AfxMessageBox 

OO6DASB4 | .7 MPC42u.#1202_AfxOleInit 

OOBDAPCC | .7 MFC .#1240_AfxSetModuleState 
OOSBDAS AB) .7 MPC42u.#1244_AfxSocketInit 
OO6BDAZEO).7 MPC42u.#1569_AfxWi nMain 


OO6DA?CB | .1 MPC42u.#1571_AfxwWndProc 
<3) iii 


But then, what if you don’t have Visual Studio in your possession? For instance 
mfc90.dll requires mfc90.lib and mfc90.lib is included in Visual Studio 2008, but you 
might only have Visual Studio 2003 at the current moment. If you have a fast internet 
connection, then downloading Visual Studio 2008 from M$’s website will take less than 
an hour, but if not, you’ll have to find another way. 

First, load your target dll into IDA. Select yes when it asks to download the symbols 
from the Microsoft Symbol Server. Then wait patiently. When you start seeing the 
Navigation band showing blue colors, go to the Functions pane. Most of the time you’ll 
see all the names resolved correctly, but if not then you’ll have to download the 
symbols manually. Use SymbolTypeViewer or any other Symbol retriever program to 
download the symbols and load it into the program via File —-> load file -> PDB file. 
After that, produce a Map file with File —> Produce File -> Create Map File. Make sure 
you check the ‘Demangle names’ checkbox, otherwise you’ll only see gibberish function 
names. Then load the Map File into Olly using MapConv, or GODUP plugin. The function 
names are resolved except a large number of ordinals but those we don’t really need so 
no need to worry. 

Now back to Olly and go to the MFC42.dll space and Ctrl+N. Type in 


ccmdtarget::oncmdmsg and it should take you straight to the function. 


Find: CCMDTARGET:: ONCMDMSG SEE 
Address Section |Type 


OO54E168| .text User CCmdTarget : :GetDi spatchMap (void) 
OO54E156| .text User CCmdTarget: :GetEventSinkMap (void) 


0054E144 | .text User CCmdTarget : :GetExtraConnectionPoints (¢ 
OOS4E14A) .text User CCmdTarget: :GetInterfaceHook(void con: 
OOS4E15C| .text User CCmdTarget: :GetInterfaceMap (void) 
OO54E186| .text User CCmdTarget : :GetTypeInfoCount (void) 
OOS4E17A| text User CCmdTarget: :GetTypeLib(ulong, ITypeLib — 
OOS4E180 | .text User CCmdTarget : :GetTypeLlibCache (void) 
OOS44E10) .text User CCmdTarget: :InternalAddRef (void) 
OO54E192| .text User CCmdTarget: :IsInvokeAl lowed(1ong) 
OOS4E19E | .text User CCmdTarget: :OnCmdMsg(uint,int,void *,/ 
OOS5S4E150| .text User CCmdTarget : :OnCreateAggregates (void) 
OO54E228 | text User CCmdTarget : :OnFinalRelease(woid) 


OO6DAD4C).idata |Import 1ClassM.CColorButton: :cCColorButton 
OO6DACF4|.idata |Import /|1iC] .CColorButton: :GetColor 
OO6DACEC|.idata [Import [iC] .CColorButton: :SetColor 
OOBDACFO).idata |Import 1ClassM.CColorButton: :SetDefaultcolor 
OO6DAD44|}.idata |Import icla .cCColorButton: :SetTrackSelectic 
OO6DADS4)|.idata  |Import .cCColorButton: :~CColorButton 
OO6DB1FC|.idata | Import -CColorMenu: :InitializeHook v 


< 


iii] 


Press Enter two times and you’re right on the Entry point of this function. Remember, 


we’re trying to hook on a certain condition so all we need to do is 
find those three variables. The rest is irrelevant. Let’s find the Message first. 


Remember the AfxFindMessage function? 


AfxFindMessageEntry(pMessageMap->IpEntries, nMsg, nCode, nID) 


It is called with two of the variables we’re looking for. nMsg and nID. Looking at the 
disassembly, it is easy to find that nMsg is being passed via EBX. nID is passed from 
[ebp+ 8]. So we have nID and nMsg. But what with hWnd? 

Do you still remember the MFC Class hierarchy? All the Window classes are derived 
from the CWnd class, and CWnd is derived from the CCmdTarget class. If you did some 
study in C++ reversing , then you would 
know that the CWnd::m_hWnd member will be in the exact same offset from the this 
pointer for every CWnd derived class. If m_hWnd is in offset +20 of a CFrameWnd 
object then it is guaranteed to be in +20 offset of a CDialog 
Object . | found the offset Ox20 by tracing a little bit until I 
found a function that passes hWnd as a parameter. 


So now the following condition should be understood. 


Modify conditional log breakpoint at MFC 42u.5F8024A9 


Condition: 


({edi+20)==200564) 8& (ebx==111) && ([ebp+3]==4E2E) 


Explanation: Expression: 


Decode value of expression as: Assumed by expression x! 


Never Oncondition Always Pass count (dec.} 


Pause program: Cc s 0. 


Log value of expression: e s s 


Log function arguments: i i> wo 


If program pauses, pass following commands to plugins: 


(Break on a window handle) && (break on WM_COMMAND) && (break on resource ID 
4E2Eh). The window handle can be obtained by a spying tool(! use spy & capture), and 
the resource ID with Resource Hacker. Not so hard isn’t it? :P 

Say I was looking for the function to be called when I click a certain Menu entry. I know 
the Menu ID is Ox4E2E with a little help of Resource Hacker, and WM_COMMAND is the 
Window Message that gets sent when I click the menu entry. I also know that the main 
window which owns the Menu has a handle of 0x200564. The condition expression will 
be set up exactly as above. 


Now the question is how are we going to use the results? First, let’s see what happens 


when the debugger breaks. 


CPU - main thread, module MFC42u 
A Registers (FPU) 


DWORD PTR SS: [EBP+C] 


DWORD PTR SS: [EBP+8 
DWORD PTR SS: [EBP+C] 


Okay, it breaks, and I stepped over the function to see the return value. That’s very 
cool and all but what next? 


Remember the prototype of AfxFindMessageEntry? 


const AFX_MSGMAP_ENTRY* AFXAPI 
AfxFindMessageEntry(const AFX_MSGMAP_ENTRY*® IpEntry, 
UINT nMsg, UINT nCode, UINT nID) 


It returns a pointer of AFX_MSGMAP_ENTRY that matches the conditions. Knowing the 
AFX_MSGMAP_ENTRY means that we also know AFX_MSGMAP_ENTRY.pfn which 
means we know what function is going to be called! Let’s see what the structure looks 


like in IDA. 


Doesn’t look so pretty... After a little bit of ‘Define Data’ing. 


-Fdata: 66574206 111h 
-Fdata:665742D4 GFFFFFFFFhH 
-Fdata:665742D8 4E2Eh 


-Fdata:665742DC 4E2Eh 
-Fdata:665742E6 2Ch 
-Fdata:665/742E4 offset sub_4A7266 


Cool, so sub_4A7260 is going to be called when the Menu entry is clicked. We no longer 
have to search for imports, search for strings, ctrl+ £9, alt+ f9, and all that stuff. © 

We know one entry of the MessageMap, but why not go a bit further and make a script 
to define the MessageMap entries in a nice structure form? 


Save the following text in a *.h file and load it into IDA with File -> Load File -> Parse 


C Header File. 


struct AFX_MSGMAP_ENTRY 
{ 

int nMessage; 

int nCode; 

int NID; 

int nLastID; 

int* NSIG; 

void* PFN; 

be 


And do the same thing with this too. 


enum MY_WM_MESSAGES { 

MY_WM_NULL = 0x0000, 
MY_WM_CREATE = 0x0001, 
MY_WM_DESTROY = 0x0002, 
MY_WM_MOVE = 0x0003, 
MY_WM_SIZE = 0x0005, 
MY_WM_ACTIVATE = 0x0006, 
MY_WM_SETFOCUS = 0x0007, 
MY_WM_KILLFOCUS = 0x0008, 
MY_WM_ENABLE = OxOOOA, 
MY_WM_SETREDRAW = OxOOOB, 
MY_WM_SETTEXT = OxOO0C, 
MY_WM_GETTEXT = OxOOOD, 
MY_WM_GETTEXTLENGTH = OxOOOE, 
MY_WM_PAINT = OxOOOF, 
MY_WM_CLOSE = 0x0010, 
MY_WM_QUERYENDSESSION = Ox0011, 
MY_WM_QUERYOPEN = 0x00138, 
MY_WM_ENDSESSION = 0x0016, 
MY_WM_QUIT = 0x0012, 
MY_WM_ERASEBKGND = 0x0014, 
MY_WM_SYSCOLORCHANGE = 0x0015, 


MY_WM_SHOWWINDOW = 0x0018, 
MY_WM_WININICHANGE = Ox001A, 
MY_WM_SETTINGCHANGE = OxO001A, 
MY_WM_DEVMODECHANGE = 0x001B, 
MY_WM_ACTIVATEAPP = Ox001C, 
MY_WM_FONTCHANGE = 0x001D, 
MY_WM_TIMECHANGE = Ox001E, 
MY_WM_CANCELMODE = OxO0O1F, 
MY_WM_SETCURSOR = 0x0020, 
MY_WM_MOUSEACTIVATE = 0x0021, 
MY_WM_CHILDACTIVATE = 0x0022, 
MY_WM_QUEUESYNC = 0x0023, 
MY_WM_GETMINMAXINFO = 0x0024, 
MY_WM_PAINTICON = 0x0026, 
MY_WM_ICONERASEBKGND = 0x0027, 
MY_WM_NEXTDLGCTL = 0x0028, 
MY_WM_SPOOLERSTATUS = 0x002A, 
MY_WM_DRAWITEM = 0x002B, 
MY_WM_MEASUREITEM = 0x002C, 
MY_WM_DELETEITEM = 0x002D, 
MY_WM_VKEYTOITEM = Ox002E, 
MY_WM_CHARTOITEM = 0x002F, 
MY_WM_SETFONT = 0x0030, 
MY_WM_GETFONT = 0x0031, 
MY_WM_SETHOTKEY = 0x0032, 
MY_WM_GETHOTKEY = 0x0033, 
MY_WM_QUERYDRAGICON = 0x0037, 
MY_WM_COMPAREITEM = 0x0039, 
MY_WM_GETOBJECT = 0x003D, 
MY_WM_COMPACTING = 0x0041, 
MY_WM_COMMNOTIFY = 0x0044, 
MY_WM_WINDOWPOSCHANGING = 0x0046, 
MY_WM_WINDOWPOSCHANGED = 0x0047, 
MY_WM_POWER = 0x0048, 
MY_WM_COPYDATA = 0x004A, 
MY_WM_CANCELJOURNAL = 0x004B, 


MY_WM_NOTIFY = Ox004E, 
MY_WM_INPUTLANGCHANGEREQUEST = 0x0050, 
MY_WM_INPUTLANGCHANGE = 0x0051, 
MY_WM_TCARD = 0x0052, 
MY_WM_HELP = 0x0053, 
MY_WM_USERCHANGED = 0x0064, 
MY_WM_NOTIFYFORMAT = 0x0055, 
MY_WM_CONTEXTMENU = 0x007B, 
MY_WM_STYLECHANGING = 0x007C, 
MY_WM_STYLECHANGED = 0x007D, 
MY_WM_DISPLAYCHANGE = 0x007E, 
MY_WM_GETICON = 0x007F, 
MY_WM_SETICON = 0x0080, 
MY_WM_NCCREATE = 0x0081, 
MY_WM_NCDESTROY = 0x0082, 


MY_WM_NCCALCSIZE = 0x0083, 


MY_WM_NCHITTEST = 0x0084, 
MY_WM_NCPAINT = 0x0085, 
MY_WM_NCACTIVATE = 0x0086, 
MY_WM_GETDLGCODE = 0x0087, 
MY_WM_SYNCPAINT = 0x0088, 
MY_WM_NCMOUSEMOVE = OxO0AO, 
MY_WM_NCLBUTTONDOWN = OxO0A1, 


MY_WM_NCLBUTTONUP = Ox00A2, 


MY_WM_NCLBUTTONDBLCLK = Ox00A3, 


MY_WM_NCRBUTTONDOWN = Ox00A4, 
MY_WM_NCRBUTTONUP = Ox00A5, 
MY_WM_NCRBUTTONDBLCLK = 0x00A6, 


MY_WM_NCMBUTTONDOWN = 0x00A7, 


MY_WM_NCMBUTTONUP = 0x00A8, 
MY_WM_NCMBUTTONDBLCLK = OxO0AQ, 


MY_WM_NCXBUTTONDOWN = OxOOAB, 


MY_WM_NCXBUTTONUP = OxOOAC, 
MY_WM_NCXBUTTONDBLCLK = OxOOAD, 
MY_WM_INPUT = OxOOFF, 


MY_WM_KEYFIRST = 0x0100, 


MY_WM_KEYDOWN = 0x0100, 
MY_WM_KEYUP = 0x0101, 

MY_WM_CHAR = 0x0102, 
MY_WM_DEADCHAR = 0x0108, 
MY_WM_SYSKEYDOWN = 0x0104, 
MY_WM_SYSKEYUP = 0x0105, 
MY_WM_SYSCHAR = 0x0106, 
MY_WM_SYSDEADCHAR = 0x0107, 
MY_WM_UNICHAR = 0x0109, 
MY_WM_KEYLAST_NT5O1 = 0x0109, 
MY_WM_KEYLAST_PRE5O1 = 0x0108, 
MY_WM_IME_STARTCOMPOSITION = 0x010D, 
MY_WM_IME_ENDCOMPOSITION = OxO10E, 
MY_WM_IME_COMPOSITION = OxO10F, 
MY_WM_IME_KEYLAST = Ox0O10F, 
MY_WM_INITDIALOG = 0x0110, 
MY_WM_COMMAND = 0Ox0111, 
MY_WM_SYSCOMMAND = 0x0112, 
MY_WM_TIMER = 0x0113, 
MY_WM_HSCROLL = 0x0114, 
MY_WM_VSCROLL = 0x0115, 
MY_WM_INITMENU = 0x0116, 
MY_WM_INITMENUPOPUP = 0x0117, 
MY_WM_MENUSELECT = 0x011F, 
MY_WM_MENUCHAR = 0x0120, 
MY_WM_ENTERIDLE = 0x0121, 
MY_WM_MENURBUTTONUP = 0x0122, 
MY_WM_MENUDRAG = 0x0123, 
MY_WM_MENUGETOBJECT = 0x0124, 
MY_WM_UNINITMENUPOPUP = 0x0125, 
MY_WM_MENUCOMMAND = 0x0126, 
MY_WM_CHANGEUISTATE = 0x0127, 
MY_WM_UPDATEUISTATE = 0x0128, 
MY_WM_QUERYUISTATE = 0x0129, 
MY_WM_CTLCOLORMSGBOX = 0x0132, 
MY_WM_CTLCOLOREDIT = 0x01338, 


U 
U 


MY_WM_CTLCOLORLISTBOX = 0x0134, 
MY_WM_CTLCOLORBTN = 0x0135, 
MY_WM_CTLCOLORDLG = 0x0136, 
MY_WM_CTLCOLORSCROLLBAR = 0x0137, 
MY_WM_CTLCOLORSTATIC = 0x0138, 
MY_WM_MOUSEFIRST = 0x0200, 
MY_WM_MOUSEMOVE = 0x0200, 
MY_WM_LBUTTONDOWN = 0x0201, 
MY_WM_LBUTTONUP = 0x0202, 
MY_WM_LBUTTONDBLCLK = 0x0203, 
MY_WM_RBUTTONDOWN = 0x0204, 
MY_WM_RBUTTONUP = 0x0205, 
MY_WM_RBUTTONDBLCLK = 0x0206, 
MY_WM_MBUTTONDOWN = 0x0207, 
MY_WM_MBUTTONUP = 0x0208, 
MY_WM_MBUTTONDBLCLK = 0x0209, 
MY_WM_MOUSEWHEEL = 0x020A, 
MY_WM_XBUTTONDOWN = Ox020B, 
MY_WM_XBUTTONUP = 0x020C, 
MY_WM_XBUTTONDBLCLK = 0x020D, 
MY_WM_MOUSELAST_5 = 0x020D, 
MY_WM_MOUSELAST_4 = 0x020A, 
MY_WM_MOUSELAST_PRE_4 = 0x0209, 
MY_WM_PARENTNOTIFY = 0x0210, 
MY_WM_ENTERMENULOOP = 0x0211, 
MY_WM_EXITMENULOOP = 0x0212, 
MY_WM_NEXTMENU = 0x0213, 
MY_WM_SIZING = 0x0214, 
MY_WM_CAPTURECHANGED = 0x0215, 
MY_WM_MOVING = 0x0216, 
MY_WM_POWERBROADCAST = 0x0218, 
MY_WM_DEVICECHANGE = 0x0219, 
MY_WM_MDICREATE = 0x0220, 
MY_WM_MDIDESTROY = 0x0221, 
MY_WM_MDIACTIVATE = 0x0222, 
MY_WM_MDIRESTORE = 0x02238, 


MY_WM_MDINEXT = 0x0224, 
MY_WM_MDIMAXIMIZE = 0x0225, 
MY_WM_MDITILE = 0x0226, 
MY_WM_MDICASCADE = 0x0227, 


MY_WM_MDIICONARRANGE = 0x0228, 
MY_WM_MDIGETACTIVE = 0x0229, 
MY_WM_MDISETMENU = 0x0230, 
MY_WM_ENTERSIZEMOVE = 0x0231, 
MY_WM_EXITSIZEMOVE = 0x0232, 
MY_WM_DROPFILES = 0x0233, 
MY_WM_MDIREFRESHMENU = 0x0234, 
MY_WM_IME_SETCONTEXT = 0x0281, 
MY_WM_IME_NOTIFY = 0x0282, 
MY_WM_IME_CONTROL = 0x0283, 
MY_WM_IME_COMPOSITIONFULL = 0x0284, 
MY_WM_IME_SELECT = 0x0285, 
MY_WM_IME_CHAR = 0x0286, 
MY_WM_IME_REQUEST = 0x0288, 
MY_WM_IME_KEYDOWN = 0x0290, 
MY_WM_IME_KEYUP = 0x0291, 
MY_WM_MOUSEHOVER = Ox02A1, 
MY_WM_MOUSELEAVE = 0x02A3, 
MY_WM_NCMOUSEHOVER = O0x02A0, 
MY_WM_NCMOUSELEAVE = 0x02A2, 
MY_WM_WTSSESSION_CHANGE = 0x02B1, 
MY_WM_TABLET_FIRST = 0x02c0, 
MY_WM_TABLET_LAST = Ox02df, 
MY_WM_CUT = 0x0300, 

MY_WM_COPY = 0x0301, 
MY_WM_PASTE = 0x0302, 
MY_WM_CLEAR = 0x0303, 
MY_WM_UNDO = 0x0304, 
MY_WM_RENDERFORMAT = 0x0305, 
MY_WM_RENDERALLFORMATS = 0x0306, 
MY_WM_DESTROYCLIPBOARD = 0x0307, 
MY_WM_DRAWCLIPBOARD = 0x0308, 


MY_WM_PAINTCLIPBOARD = 0x0309, 
MY_WM_VSCROLLCLIPBOARD = Ox030A, 
MY_WM_SIZECLIPBOARD = Ox030B, 
MY_WM_ASKCBFORMATNAME = 0x0380C, 
MY_WM_CHANGECBCHAIN = 0x030D, 
MY_WM_HSCROLLCLIPBOARD = 0x030E, 
MY_WM_QUERYNEWPALETTE = Ox030F, 
MY_WM_PALETTEISCHANGING = 0x0310, 
MY_WM_PALETTECHANGED = 0x0311, 
MY_WM_HOTKEY = 0x0312, 
MY_WM_PRINT = 0x0317, 
MY_WM_PRINTCLIENT = 0x0318, 
MY_WM_APPCOMMAND = 0x0319, 
MY_WM_THEMECHANGED = 0x031A, 
MY_WM_HANDHELDFIRST = 0x0358, 
MY_WM_HANDHELDLAST = Ox035F, 
MY_WM_AFXFIRST = 0x0360, 
MY_WM_AFXLAST = 0x0387F, 
MY_WM_PENWIMNFIRST = 0x0380, 
MY_WM_PENWINLAST = Ox038F, 
MY_WM_APP = 0x8000, 

MY_WM_USER = 0x0400}: 


IDA already has WM_MESASGE enums but they are all split into tiny pieces so I just 
made a new one to merge all of them into one piece. 

Next, define the first member of AFX_MSGMAP_ENTRY nMessage to the 
MY_WM_MESSAGES enum. 


Then place the cursor on the beginning of the MessageMap entry. 


* ~.pdata:66573A66 dd 6FFFFh 


* .rdata:66573A64 dd offset sub _49D8A6 
* .rdata:66573A68 dd offset sub_49D966 
* .rdata:66573A6C dd 8 

~ .edata:60573a70 of F_573A76 dd offset sub_49D926 ; DATA 
* .rdata:60573A74 dd offset unk_573A78 
* .rdata:66573A78 unk_573A78 db 1 ; DATA 
* .rdata:66573A79 db 6 

* .rdata:66573A7A db 6 

* .rdata:66573A7B db 8 

* .rdata:66573A7C db 6 

* .rdata:66573A7D db 6 

* .pdata:66573A7E db 8 

* .rdata:66573A7F db 6 

* .rdata:66573A86 db 6 

* .rdata:66573A81 db 8 

* .rdata:66573A82 db 6 

* .rdata:66573A83 db 5] 

* .rdata:66573A84 db 8 

* .rdata:66573A85 db 8 

* .rdata:66573A86 db 5] 

* .rdata:66573A87 db 5] 

* .rdata:66573A88 db 9 

* .rdata:66573A89 db 8 

* .rdata:66573A8A db 8 

* .rdata:66573A8B db 6 

* .rdata:66573A8C db 96h ; ¢ 

* .rdata:66573A8D db GEGh ; ¢ 

* .rdata:66573A8E db 49h ; I 

* .rdata:66573A8F db 8 


The entry usually starts as an array of bytes with an AFX_MSGMAP structure right 
above it. Press shiftt+f2 and use this IDC script to define all the AFX_MSGMAP_ENTRY 


structures for one section of MessageMap in one shot. 


// borrowed and edited from Pnluck’s source © 


auto idStruct, ptr, isOk, addr; 
addr = ScreenEAQ; 


idStruct = GetStrucIdByName("AFX_MSGMAP_ENTRY"); 
if( idStruct == -1) { 
idStruct = DefineStructQ; 
if(idStruct == 0) { 
Warning("WnImpossible declare the structureWn"); 


return; 


ptr = addr; 
isOk = 1; 


while( Dword(ptr) != 0) { 
if(MakeStructEx(ptr, 24, "AFX_MSGMAP_ENTRY") == 0) { 
isOk = 0; 
break; 
} 
ptr = ptr + 24; 
} 
MakeStructEx(ptr, 24, "AFX_MSGMAP_ENTRY"); 
if(isOk == 0) { 
Warning("WnImpossible set structures at %xWn", addr); 
} 
else { 


Message("Complete"); 


And the result. 


rdata:66573BF8 


-rdata: 66573016 
-rdata:66573C28 
-data: 66573046 
-rdata:66573C58 
-rdata: 66573076 
-rdata:86573C88 
-rdata:66573C88 
-rdata:66573CA6 
-rdata:66573CA6 
-Fdata:66573CB8 
-rdata:66573CB8 
-rdata:66573CD6 
-rdata:66573CD8 
-rdata:686573CE8 
-rdata:66573CE8 
-rdata:66573D66 
-rdata:66573D66 


AFX_HSGMAP_ENTRY 
AFX_HSGMAP_ENTRY 
AFX_HSGMAP_ENTRY 
AFX_HSGMAP_ENTRY 
AFX_MSGMAP_ENTRY 
AFX_HSGMAP_ENTRY 


AFX_HSGMAP_ENTRY 
AFX_HSGMAP_ENTRY 
AFX_HSGMAP_ENTRY 
AFX_HSGMAP_ENTRY 
AFX_HSGMAP_ENTRY 
AFX_MSGMAP_ENTRY 
AFX_HSGMAP_ENTRY 
AFX_HSGMAP_ENTRY 


AFX_MSGHAP_ENTRY 
AFX_MSGHAP_ENTRY 
AFX_MSGHAP_ENTRY 
AFX_MSGHAP_ENTRY 
AFX_MSGHAP_ENTRY 
AFX_MSGHAP_ENTRY 
AFX_MSGHAP_ENTRY 
AFX_MSGHAP_ENTRY 


AFX_MSGMAP_ENTRY 
AFX_MSGHAP_ENTRY 
AFX_MSGMAP_ENTRY 
AFX_MSGHAP_ENTRY 


AFX_MSGMAP_ENTRY 


-ydata:80573A78 stru_S73A78 AFX_MSGMAP_ENTRY <MY_WM CREATE, 6, 8, 6, 9, offset sub_49E696> 
-rdata:86573A78 
-rdata:66573A96 
-rdata:66573AA8 
-rdata:66573ACB 
-rdata:66573AD8 
-rdata:66573AF6 
-'data:66573B 68 
-data:66573B68 
-rdata:66573B26 
-rdata:86573B38 
-rdata:66573B56 
-rdata:66573B68 
-rdata:66573B86 
-rdata:86573B98 
-tdata:66573BB6 
-rdata:686573BC8 
-rdata:66573BC8 
-rdata:66573BE86 


; DATA XREF: .rdata:@8573A74To 
<MY_WM_SIZE, 6, 6, 6, 11h, offset sub_4A27AG> 
<MY_WM_DESTROY, 6, 6, 6, OCh, offset sub_4A1D16> 
<MY_WM_CLOSE, 6, 6, 6, 6Ch, offset sub_4A2286> 
<MY_WM_ERASEBKGND, 6, 6, 6, 1, offset sub_4C1576> 
<MY_WM_PAINT, 6, 6, 6, 8Ch, offset sub_4A2496> 
<MY_WM_GETMINMAXINFO, 6, 6, 6, 1Fh, # 

offset sub_4A39D6> 

<MY_WM_LBUTTONDOWN, 8, 8, 8, 31h, offset sub_4A3ADO> 
<MY_WM_LBUTTONUP, 8, 8, 6, 31h, offset sub_4A3D36> 
<MY_WM_MOUSEFIRST, 6, 6, G, 31h, offset sub_4A3EB> 
<MY_WM_MOUVE, 6, 6, 6, OFh, offset sub_4A4276> 
<MY_WM_TIMER, 6, 6, 8, GDh, offset sub_4A4666> 
<MY_WM_SYSCOMMAND, 6, 6, 6, 12h, offset sub_49F666> 
<MY_WM_SETCURSOR, 8, 6, 6, 3, offset sub_49F436> 
<MY_WM_LBUTTONDBLCLK, 6, 6, G, 31h, # 

offset sub_4A3A56> 

<MY_WM_ENTERIDLE, 6, 6, 6, 1Bh, offset sub_49F4C@> 
<MY_WM_KILLFOCUS, 6, 6, 6, 17h, offset sub_49F496> 
<MY_WM_ACTIUATE, 6, 6, 6, 1Ch, offset sub_49F226> 
<MY_WM_SHOWWINDOW, 6, 6, 6, GEh, offset sub_4828B0> 
<MY_WM_COPYDATA, 6, 8, 8, 2Dh, offset sub_49F4E> 
<MY_WM_DROPFILES, 8, 6, 6, GDh, offset sub_49FSE@> 
<MY_WM_SETFOCUS, 6, 6, 8, 17h, offset sub_49F486> 
<MY_WM_COMMAND, 6, 8687h, 8687h, OCh, # 

offset sub_4ASE96> 

<MY_WM_COMMAND, 6, 868Ch, 868Ch, OCh, # 

offset sub_4A5ED6> 

<MY_WM_COMMAND, 6, 4E21h, 4E21h, OCh, # 

offset sub_4A5F16> 

<MY_WM_COMMAND, 6, 4E22h, 4E22h, OCh, # 

offset sub_4A6386> 

<MY_WM_COMMAND, 6, 4E23h, 4E23h, OCh, # 

offset loc_4A63F 6> 

<MY_WM_COMMAND, 6, 4E24h, 4E24h, OCh, # 

offset loc_4A6466> 


Looks pretty neat. © Now let’s go back to the AFX_MSGMAP_ENTRY we found when 
the debugger stopped. The address was 5742D0. 


-rdata:665742B8 
-Fdata: 66574200 
-rdata: 66574206 
-rdata:665742E8 
-rdata:685742E8 
-rdata: 665743686 
-rdata: 66574366 
-rdata:66574318 


offset sub 4A6D76> 


AFX_MSGMAP_ENTRY <MY_WM COMMAND, OFFFFFFFFh, 4E2Eh, 4E2Eh, 2Ch, 
offset sub 4A7266> 


AFX_MSGMAP_ENTRY <MY_Wh_COMMAND, OFFFFFFFFH, 4E2Fh, 4E2Fh, 2Ch, 


offset sub_4A7266> 


AFX_MSGMAP_ENTRY <MY_WH_COMMAND, OFFFFFFFFh, 4E36h, 4E36h, 2Ch, # 


offset sub_4A74D6> 


AFX MSGMAP ENTRY <MY WM COMMAND, OFFFFFFFFH, 4E39h, 4E39h, 2Ch, # 


Awesome. So sub_4A7260 gets called when I click the Menu entry. 


The Menu belongs to the Main Window so we have the whole MessageMap for the Main 
Window. To find MessageMaps for the Sub windows, you just have to follow the same 
procedure, changing the hWnd condition each time. 

Now we have the ability to find the exact function we’re interested in and a lot of time 
has been saved. © Now another question arises. Does this work for all versions of 
mfc*.dlls? 

We know the Message is always going to be handled by CCmdTarget::OnCmdMsg, 


that’s the core part of the framework and will most likely not change. The part we’re 


interested in is the code around AfxFindMessageEntry. It’s that code which decides if 


the expression in the conditional bp needs to be changed everytime. 


DWORD PTR SS: [EBP+8] 
DWORD PTR SS: [EBP+C] 


mfc42+.dll 


DWORD PTR SS: [EBP+8] 
DWORD PTR SS: [EBP+C] 


mfc71*.dll 


»  oOFeo UL 
Seed Oo 

> BB 11010000 
> 8BO?7 


muy URRY Fim 253 Leorte ys, cRA 
INZ SHORT MFC42u.5F802496 
MOV EBX,111 

MOV EAX,DWORD PTR DS: [EDI] 


pDrovctou 


SF8o248F 


- 8BCF Mov ECX, EDI 
ap (FPSO. 30 CALL DWORD PTR DS: [EAX+30] 
sy EB 15 JMP SHORT MFC42u.5F8024B4 
> FF#5 08 PUSH DWORD PTR SS: [EBP+8] 
. FF/S 0¢ PUSH DWORD PTR SS: [EBP+C] 
5 53 PUSH EBX 
6 FF?6 O4 PUSH DWORD PTR DS: [ESI+4] 


ALL «MFC42u .AFxFindMessageEntry (AFX_MSGM 
TEST EAX, EAX 

INZ SHORT MFC42u.5F8024C1 

CALL DWORD PTR DS: [EST] 

MoV ESI, EAX 

TEST ESI,ESI 

IN? CHADT MCCA CORNeAac 


mfc80*.dll 


OFF 

Elects Oo 

BF 11010000 
8B03 


IEDSI EUL,EVL T 
INZ SHORT mfc90u.78A6D333 

MOY EDI,111 

MOV EAX,DWORD PTR DS: [EBX] 


FF50 30 CALL DWORD PTR DS: [EAX+30] 
38|, EB 15 SHORT mfc90u.78A6D34F 
FF?5 08 PUSH DWORD PTR SS: [EBP+8] nt 
FF?5 OC PUSH DWORD PTR SS: [EBP+C] 
57 PUSH EDI rT 


FF76 04 PUSH DWORD PTR DS: [ESI+4] 
ALL mfc90u. 78A3F5EF 
TEST EAX, EAX 


INZ SHORT mfc90u.78A6D35F 


85C0 
Meta he 


FF16 CALL DWORD PTR DS: [ESI] 
8BFO MOY ESI, EAX 
833E 00 CMP DWORD PTR DS: [ESI],0 
“ 75 Ed INZ SHORT mfc90u.78A6D33A 
A 33C0 xXOR EAX, EAX 
5F POP EDI k 
mfc90*.dll 


So everything else is the same except for the mfc90*.dll family. EDI and EBX is 
swapped, and EBX no longer holds nMsg, EDX does. Therefore, it would be more 
appropriate to write [esp+4]==nMsg instead of EBX==nMsg so it would work 
universally and use EBX as the this pointer only in the case of mfc90*.dll. I implemented 


this in OllyScript and the code looks like this. 


/ 

OllyScript - Script to set a Conditional Breakpoint MFC Messages 
Author : Externalist 

Supports : mfc42,mfc71,mfc80,mfc90 

«/ 


var Dil_CodeBase,Condition, BP_Loc,temp 
var nMsg,nID,hWnd 


/* Edit these lines */ 


/* Make sure you put a ‘O’ prefix if the hex value starts with an Alphabet */ 


// // 
MOV hWnd,"123" // Window Handle 

MOV nMsg,"111" // WM_COMMAND 

MOV nID,"1"_—// Resource ID 

// // 


MOV Condition,"([esp+ 4]=="+ nMsg+") && 
({edit+ 20]=="+ hWnd+")" 


GMA "mfc42",CODEBASE 
CMP $RESULT,O 

JNZ FIND_OPCODE 

GMA "mfc42",CODEBASE 
CMP $RESULT,O 

JNZ FIND_OPCODE 

GMA "mfc42",CODEBASE 
CMP $RESULT,O 

JNZ FIND_OPCODE 

GMA "mfc42",CODEBASE 
CMP $RESULT,O 

JNZ FIND_OPCODE 
//mfc42 family 


GMA "mfce71",CODEBASE 
CMP $RESULT,O 

JNZ FIND_OPCODE 

GMA "mfe71u",CODEBASE 
CMP $RESULT,O 


(Lebp+ 8]=="+ nID+ ") 


&& 


JNZ FIND_OPCODE 

GMA "mfc71d",CODEBASE 
CMP $RESULT,O 

JNZ FIND_OPCODE 

GMA "mfc71lud",CODEBASE 
CMP $RESULT,O 

JNZ FIND_OPCODE 

//mfc71 family 


GMA "mfc80",CODEBASE 
CMP $RESULT,O 

JNZ FIND_OPCODE 

GMA "mfc80u",CODEBASE 
CMP $RESULT,O 

JNZ FIND_OPCODE 

GMA "mfc80d",CODEBASE 
CMP $RESULT,O 

JNZ FIND_OPCODE 

GMA "mfc80ud",CODEBASE 
CMP $RESULT,O 

JNZ FIND_OPCODE 
//mf£c80 family 


GMA "mfc90",CODEBASE 
CMP $RESULT,O 

JNZ FIX_CONDITION 

GMA "mfc90u",CODEBASE 
CMP $RESULT,O 

JNZ FIX_CONDITION 

GMA "mfc90d",CODEBASE 
CMP $RESULT,O 

JNZ FIX_CONDITION 

GMA "mfc90ud",CODEBASE 
CMP $RESULT,O 

JNZ FIX_CONDITION 
//mf£c90 family 


MSG "module not found :(" 
JMP RETURN 


FIX_CONDITION: 
MOV Condition,"(Lespt+ 4]=="+ nMsgt") && (Lebp+ 8]=="+ nID+ ") && 
(Lebx+ 20]=="+ hWnd+")" 


FIND_OPCODE: 

MOV DlIl_CodeBase, RESULT 

FIND Dil_CodeBase,#FF7508FF750C??FF7604E8# 
MOV BP_Loc,$RESULT+ A 

EVAL "Breakpoint set at : {BP_Loc}" 

LOG $RESULT 

BPCND BP_Loc,Condition 


RETURN: 
RET 


These lines 


/* Edit these lines */ 


ee ee eee // 
MOV hWnd,"123" // Window Handle 

MOV nMsg,"111" // WM_COMMAND 

MOV nID,"1"_—_—// Resource ID 

a aan ca a a mea gi // 


must be edited to the values of your target, or either changed later on. I tried to use the 
“ASK” command but Olly keeps on crashing for some odd reason. Therefore, you’ll 


have to either type it in Manually or tweak the script a little bit. 


Now let’s solve a simple crackme using this technique. 


Open cosh’s crackme2.exe in Olly and you will see the familiar MFC entrypoint. 


Now start the app outside Olly and see how the program operates. 


Crackme2 - By CoSH [x] 


Name 


JExTERNALST 


Serial 


ex 
our | 


You could easily guess that the Serial Check algorithm will be executed once the 


‘CHECK’ button is clicked. Now we need the Resource ID of the CHECK button. 


kr Resource Hacker - 
File Edit View Action Help 


Icon : . : 2 
&¥ Dialog Compile Script Hide Dialog | (6) Control position: 7,775! 


a 


Cag 102 102 DIALOGEX 0, 0, 120, 98 
a 1031 STYLE DS_MODALFRAME | WS_POPUP | WS_VISIBLE | 
*)-@j Icon Group EXSTYLE WS_EX_APPWINDOW 
+|- (9 Version Info CAPTION "Crackme2 - By CoSH" 


LANGUAGE LANG GERMAN, SUBLANG GERMAN 

FONT 8, "MS Sans Serif" 

{ 

CONTROL "QUIT", 1, BUTTON, B5S_DEFPUSHBUTTON 
CONTROL "", 1000, EDIT, ES_LEFT | E5_UPPERC 
CONTROL "Name", -1, STATIC, S5_LEFT | W5_CH 
CONTROL "Serial", -1, STATIC, S5_LEFT | W5_ 
CONTROL "", 1001, EDIT, ES_LEFT | E5_UPPERC 
CONTROL [piece qe BUTTON, BS DEFPUSHBUTTC 


w 


4 
| 


Line: 13 334. 


Resource ID is 2. So change the nID member of the script or remember it and change it 
later on. 


Now before starting the app in Olly, run the script and see that the conditional 


breakpoint has been set in the breakpoint window. 


Breakpoints 


jaaress [Woaule [active ___lbssassenbly 


73D1238F MFC42 esp+4]==111) && ( CALL <MFC42.AfxFindMessageEntry (CAF. 


You might want to go to that address by double clicking it because there’s one last thing 
that needs to be changed. 
Now run the app, and find the Window Handle using a spy tool. 


~ Spy Window 
FA % ret] Boel 
Main | General | Styles | Class | Process | Misc | 


Handle: oecoss¢ i i itsti‘“‘SO™CS™SC~C~™S 
Se 


Caption: [Crackme2 - By CoSH 
Class: [#32770 
Parent Window: |(None) » 


First Child: O07FOA4BS8 
Next Window: 002B05B8 
Previous Window: |o0C40870 


» 
» 
» 


Owner Window: |(None) > 


The handle is 6CO0884. Now go to the conditional breakpoint and modify the condition to 


meet your needs. 


Modify conditional log breakpoint at MFC42. 73D1238F [x] 


Condition: 
([esp+4]==111) && ([ebp+8]==1) && ([edi+20)==06C0884 } 


Explanation: Expression: 
v¥ = ¥ 
Decode value of expression as: Assumed by expression 7 


Never Oncondition Always Pass count (dec. ] 


Pause program: s s ce 0. 


Log value of expression: fe Cc Cc 


Log function arguments: c a c 


If program pauses, pass following commands to plugins: 


Cancel | 


Make sure you put a ‘O’ prefix if the hex number starts with an Alphabet. 


Finally, enter a Name and a Serial and press ‘CHECK’. And it breaks! 


DWORD PTR SS: [EBP+8] 
DWORD PTR SS: [EBP+C] 


Cool! Now what? F8 over it to get the AFX_MSGMAP_ENTRY pointer. 


Registers (FPU 


Address is 402320. Load the crackme into IDA and follow the steps presented before to 
define the AFX_MSGMAP_ENTRY structure. 


Then, go to 402320 and use the IDC script to define the AFX_MSGMAP_ENTRY 


structure. Here’s the result. 


And the sub_4014B0 function. 


sub_4614B6 proc near 


var_14= byte ptr -14h 

var_16= byte ptr -16h 
dword ptr -6Ch 
dword ptr -4 


eax, large fs:6 
GFFFFFFFFh 

offset SEH_4614B6 

eax 

large fs:6, esp 

esp, 8 

ebx 

ebp 

esi 

esi, ecx 

edi 

edi, [esi+6A6Gh] 

ecx, edi 
?GetWindowlTextLengthA@CWnd@@QBEHX2 ; Ciind::GetWindowlex 
ebx, ds:PostQuitMessage 
eax, 5 

short loc_461536 


Graph overview 


ebp, [esi+66h] 

ecx, ebp 

?GetWindowTextLengthA@CWnd@@QBEHX2 ; CWind::GetWindowlextLengtha 
eax, 5 

short loc_461536 


Right in the beginning of the Serial Check algorithm. © 

Now I hear some of you guys saying 

‘Well, I press CHECK, pause, Alt+F9, OK, Wala! Right in the middle of the function! © 
That’s like only 5 seconds and yours is like 1 minute! pwned. ©’ 

True. But that’s only for crackmes. There are times when you’re reversing real world 
applications and you just can’t guess what API is being used. Sometimes you try to 
backtrace from an API or string and find yourself completely lost in a code wood and 
those kinds of things make you get frustrated for hours. This is when the above 
technique comes in play. You have a complete layout of what function is going to be 
called on what Window Message, and it never goes wrong, cause MFC works that way 
and the VC compiler ‘Prints’ the Message Map for us reversers to use. © 


Okay, so much for MessageMaps, let’s get to the conclusion. 


Conclusion 


This tutorial was about reversing MFC apps in a more ‘logical’ way instead of mere 
guessing and assuming. The core of this technique is nothing more than setting a 
conditional breakpoint on a certain location, but to understand how it works requires a 
little background knowledge of MFC. You might find the backtracing technique useful 
most of the time, but if you’re completely lost and want to find a good place to start 
among the Huge segments of app code, then the MessageMap locating technique might 
come quite in handy. © But it doesn’t give you the Answer to your problem. It just gives 
a really good place to start, and locating your target from there on is up to your 
reversing skills. But I’m sure you guys are all confident with that. :P 

This concludes the tutorial on MFC reversing. If you have any better ways to reverse 


an MFC application, please drop me a PM at ARTeam. © 
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